As a new way to connect with his fans, Jack Johnson – one half of the pop-rap duo Jack & Jack, not to be confused with the laidback Hawaiian singer-songwriter of the same name – has spent the last month soliciting social media passwords, reports Ars Technica.

This would then allow Johnson to log in to your account and leave a personalised message for the fan on their own account.

Unfortunately it also opens up a number of security and legal concerns.

“While the entertainer in question likely considers this password collection to be a harmless personalized promotional activity, there may indeed be legal implication of both the fans’ and the entertainer’s conduct,” Andrea Matwyshyn, a law professor at Northeastern University, told Ars Technica.

“From a security standpoint, the promotion’s structure needlessly exposes both fans and the entertainer to risk,” she e-mailed. “Encouraging fans to engage in bad password practices and to expose themselves to increased risk of identity theft is not looking out for fans’ best interests.

Password hoarding also places a bullseye on the entertainer as an attractive target for malicious attackers, further potentially placing fans at risk.”